Domain Key Identified Mail vs Phishing
alphadogg writes "Some of the Internet's most powerful companies — including Yahoo, Google, PayPal and AOL — are brandishing a new weapon in the ongoing battle against e-mail fraud. DKIM is an emerging e-mail authentication standard developed by the IETF. DKIM, which stands for DomainKeys Identified Mail, allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message. DKIM addresses one of the Internet's biggest threats: e-mail fraud. As much as 80% of e-mail that purports to be from leading brands, banks and ISPs is spoofed, according to a report released in late January by the Authentication and Online Trust Alliance (AOTA)."
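To make the "cryptographically sign outgoing e-mail" part concrete, here is an added example (not code from the article or from any of the companies named) of the receiver-side piece of DKIM that does not need a key: RFC 6376 "relaxed" body canonicalization and the bh= body hash that the signature covers. The b= tag (RSA over the selected headers, verified with the public key fetched from DNS) is not implemented; the DKIM-Signature header, domain and selector below are constructed sample values.

```python
import base64
import hashlib
import re

WSP = re.compile(r"[ \t]+")


def canonicalize_body_relaxed(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Strip trailing whitespace, then collapse runs of WSP to one space.
    lines = [WSP.sub(" ", line.rstrip(" \t")) for line in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    # A non-empty body must end in CRLF; an empty body stays empty.
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    canon = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list; folding whitespace in values is dropped."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """Verifier-side check: does the signed bh= cover the body actually received?"""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    # Constructed sample message and signature header (hypothetical domain/selector).
    body = "Please review your account statement.\t \r\n\r\n\r\n"
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
           "  h=from:to:subject; bh=" + body_hash(body) + "; b=<signature omitted>")
    print(body_hash_matches(sig, body))                                  # True
    print(body_hash_matches(sig, body.replace("statement", "password")))  # False
```

A bh= match only proves the body was not altered after signing; whether the signer is the domain in the From header is a separate check, which is why a spammer's own domain can still carry a perfectly valid signature.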
... until everybody starts using it! It might help, but all your friends and family won't use it so you cannot rely fully on this alone.
...in the fight against spammers. I am all for it. Will this be the end-all-be-all tool? No, such a thing does not exist in the world of the inter-tubes, but if it can stop the majority of spoofing, then it is a good start.
Bearded Dragon
You forgot to add "Your idea will be patented by someone else and you will be sued into oblivion" under reasons this won't work...
I can see that this might help to reduce false positives (i.e. legitimate mail misclassified as spam), but I don't see how it can reduce false negatives (i.e. spam misclassified as legitimate mail). Basically it's similar to SPF but with cryptographic protection.
If the "big" spam targets (Paypal, Ebay and Amazon spring to mind) and the big mail providers (GMail, Hotmail, AOL etc) work together, it might reduce the amount of spam as well; for example, Paypal could state that *all* of their Mail will be signed with DomainKeys; Gmail could then immediately put all non-signed mail from Paypal into the spam folder (or reject it).
Since more and more people are using the big providers for their personal E-Mail, it might help with false positives there too.
It will not help with E-Mail from Domains not using DomainKeys, for domains set up by spammers (they can use DomainKeys like everybody else) and for "small" domains, i.e. not deemed important enough by the big players to be listed as "non-spamming".
If the big players really work together on this, it might reduce spam a little but it will also damage the small players; since they're not whitelisted, their E-Mail is more likely to be classified as spam. Which makes the big players more attractive, so more people will use them and so on. It leads to a centralization of E-Mail.
I'm not sure whether this is good or bad.
Actually, I think they'll see this as a business opportunity. The risk here seems to me not that it will fail, but that it will succeed. That is, that people will start to only trust those big few who can afford to create such an identification mechanism. That will lead to the big ones reaffirming their "portal" role and making it harder for new entrants to achieve legitimacy. On a claim that new entrants are dangerous, it won't surprise me if (as with the network neutrality issue), the big ones jump in and say it's essential that they have special status. They like being special and competing among their (predictable) friends.
I like this technological proposal, btw. I just think it will, like all things, require some refinement before it's really working. But it sounds like a step forward. And at the same time something to be wary of ... in a calm way.
Kent M Pitman
Philosopher, Technologist, Writer
TFA is about "phishing" which is slightly different from "spam" even though both use bulk email methods.
... while only increasing your legit email rejection count a slight bit. You are "winning" against spam. Or it appears that way.
The first problem with blocking "spam" is that there is so much of it (80%+ of all email is spam) that just about any stupid idea will result in a decrease in total spam received. Suppose you refuse to accept any email on odd-numbered dates. Since 80%+ of the email coming in was spam anyway, you've reduced your total spam message count
The second problem is that an approach that works for ONE sub-category will NOT work on a different sub-category.
For example, spam from Gmail is not stopped by greylisting even though greylisting is fairly effective at blocking spam zombies.
Will Domain Keys block spam? No.
Domain Keys will only help against a specific sub-category and only when configured correctly and verified correctly.
I think the hope is that your ISP will already have thrown the email away on your behalf, so you'll not even get to read it.
J.
You're only jealous cos the little penguins are talking to me.
I'd be very surprised if it was any less than 98% fake.
Je fume. Tu fumes. Nous fûmes!
Except that spoofed mail isn't necessarily bad. I have a gmail account which I use to aggregate a couple of other email addresses that I commonly send messages from and receive mail to. Gmail allows me to send messages out with these addresses after an email exchange with the address to verify that I have access and permission to perform that activity. Preventing spoofing will mean I have to use the actual accounts themselves, which is at best inconvenient.
Actually... you're SPOT FUCKING ON, pardon my French. At least IMO.
I am a power user. I have a static IP with a Sonicwall router at home. If my connection was doing something funny, and I don't mean P2P or IP protection/copyright filter/bullshit, I would feel perfectly fine with an http redirect informing me of the problem, offering a download of the logs, and suggestions on how to fix it. I call that a sign of a responsible ISP. They don't even need to shutdown the whole service, just redirect the HTTP requests.
As for the many non-local SMTP connections, that policy could easily allow email services outside of the ISP. Not many people run their own mail servers, but I feel perfectly justified as a mail server administrator in forcing good security practices on any mail server wishing to operate in a legit fashion. If you have a small business, a static IP address is not that much more money. If it is a remote office location, you can always send all email securely to a gateway. Setting up a DNS properly and running a legit domain is not hard to do either. Basically, they have the right to run a crappy non-conforming mail server, and I have the right to blacklist them into oblivion. Furthermore, it costs practically next to nothing these days to get hosted email services, which allows you to have a gateway anyway.
In any case, I think that you're right. Thousands of outbound email sessions on port 25 is incredibly suspicious for a residential user, as is DDOS and other types of easily recognizable behavior.
As for it flying with commercial users, the answer is not so simple. If you are referring to co-located services, I think upstream bandwidth providers already reserve the right to shutdown if you start causing network problems. You are supposed to know better and be watching your systems. I think I am certainly held to a higher level of expectations than anybody using a residential or business ISP account. So commercial users are at a whole different level.
Now high-end users, and business accounts, should be treated exactly the same as low end users. My systems are fairly secure, but I am knowledgeable enough to know that nothing is impossible. I know with enough processing power you could crack the WPA encryption on my access points and gain access to my networks. I use virtualized XP machines to do any questionable surfing/torrents/programs, so I am reasonably sure that any malware, or even rootkits get destroyed before they can do permanent damage.
Even with that being said, I would WELCOME the ISP causing a redirect if my network was to start sending out suspicious traffic. I would actually want that. Hell, I would actually pay a few dollars a month extra for that service.
The more I think about your idea, the better it sounds. I don't think you're missing anything.